Back door in ProFTPD FTP server

Unknown attackers penetrated the server hosting the open source ProFTPD FTP server project and concealed a back door in the source code. The back door gives the attackers complete access to any system on which the modified version of the server has been installed. When the modified version is installed, it notifies the group behind the back door by contacting an IP address located in Saudi Arabia. Sending the command 'HELP ACIDBITCHEZ' to the modified server opens a root shell.

Ironically, to plant their back door the attackers exploited a zero-day vulnerability in ProFTPD itself, the server the developers were running to distribute the source code to users. The modification was made on 28th November and was discovered and reverted on 1st December. Because the project's main server, which also feeds various mirrors via rsync, was affected, the modified code has probably been served by the official mirrors right up until today.

Users can check the MD5 hash or the PGP signature to determine whether they have downloaded the compromised version of the source code. The developers have not revealed any details of the vulnerability used to penetrate the project server. The attackers may have exploited the still unpatched vulnerability in the SQL module that the hacker magazine Phrack highlighted in mid-November.
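As an added example that is not part of the article or the ProFTPD project, the two checks described above in Python: comparing a downloaded tarball against a published MD5 value and scanning an unpacked source tree for the 'ACIDBITCHEZ' trigger string quoted above. The tarball path and the expected hash are assumed to be supplied by the reader; the published value should come from somewhere other than the possibly compromised download server, and the PGP signature remains the stronger check.

```python
import hashlib
import hmac
import sys
from pathlib import Path

# Trigger string quoted in the article; its presence in a source tree is
# a cheap indicator that the back-doored version was downloaded.
BACKDOOR_MARKER = b"ACIDBITCHEZ"


def md5_of_file(path):
    """Return the hex MD5 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_published_md5(path, expected_md5):
    """True if the file's MD5 equals the published value (case-insensitive).

    The published hash must be obtained independently of the download
    server: a hash hosted beside a replaced tarball could be replaced too.
    """
    actual = md5_of_file(path).lower()
    return hmac.compare_digest(actual, expected_md5.strip().lower())


def find_marker(source_dir, marker=BACKDOOR_MARKER):
    """Return relative paths of files under source_dir containing marker."""
    root = Path(source_dir)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and marker in p.read_bytes():
            hits.append(str(p.relative_to(root)))
    return hits


if __name__ == "__main__":
    # Hypothetical usage: check.py <tarball> <expected-md5> [<unpacked-dir>]
    if len(sys.argv) < 3:
        sys.exit("usage: check.py TARBALL EXPECTED_MD5 [SOURCE_DIR]")
    ok = matches_published_md5(sys.argv[1], sys.argv[2])
    print("md5 matches" if ok else "MD5 MISMATCH: do not build or install")
    if len(sys.argv) > 3:
        for hit in find_marker(sys.argv[3]):
            print("back door marker found in", hit)
```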